CVE-2014-7828

Published: 19/11/2014 | Updated: 08/09/2017
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
VMScore: 312
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Summary

FreeIPA 4.0.x prior to 4.0.5 and 4.1.x prior to 4.1.1, when 2FA is enabled, allows remote malicious users to bypass the password requirement of two-factor authentication by leveraging an enabled OTP token, which triggers an anonymous bind.

Affected Products

Vendor: Freeipa | Product: Freeipa | Versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.1.1

Vendor Advisories

Debian Bug report logs - #768294
freeipa: CVE-2014-7828: password not required when OTP in use
Package: src:freeipa; Maintainer for src:freeipa is Debian FreeIPA Team <pkg-freeipa-devel@alioth-lists.debian.net>; Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 6 Nov 2014 10:09:02 UTC
Severity: grave ...

FreeIPA 4.0.x before 4.0.5 and 4.1.x before 4.1.1, when 2FA is enabled, allows remote attackers to bypass the password requirement of the two-factor authentication leveraging an enabled OTP token, which triggers an anonymous bind ...